|
[求助]奋斗了一天了,来点总结
建议楼主: 首先不用太复杂的行为捕获引擎,SSDT Hook之流的就行,重要的是把这些FD\AD\RD行为整理.. 然后是挑选一种好的智能算法进行分类,除了你说的以上算法,其实可以考虑 贝叶斯分类(比较经典) 攻击决策树(川大有篇博士论文讲这个的,感觉很不错) 隐马尔可夫链 行为序列分析(这个是基于序列之间的关系进行分析) 还要谨记:甭管用神马算法,规则库之类的东西都得有... 这个题我以前考虑过,不过没做出任何成果,惭愧的飘过 |
[原创]专科生的呐喊
人生有很多改变命运的机会,努力即可..加油~ |
|
[原创]纳斯达克上市的大游戏公司(SOHU 畅游 www.changyou.com)招聘 安全开发研究人员
请LZ解释下是$8500/month 还是 $8500/year |
|
[分享]Hot!《Java加密与解密的艺术》试评员招募(免费申领样书)火热进行中~
申领 信息安全专业学子,主要做Win32平台下的用户态和内核态的安全编程,希望从这本书了解下Java安全相关的知识,谢谢。 |
|
[求助]win7下端口进程对应关系
客气客气,谢谢你帮俺测试老..啊哈哈。 |
|
[十周年]“看雪十年 相伴你我”现场直播[照片]
去了又送东西又请吃饭,结果抽奖俺又抽中了,太TM过瘾了... |
|
[求助]win7下端口进程对应关系
不知道Win7下好使不...试下顺便跟俺说下哈。 |
|
[求助]win7下端口进程对应关系
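//Netstat -anb
//
// Maps a local TCP/UDP port to the process that owns it, using the private
// iphlpapi exports of the XP era (AllocateAndGet*ExTableFromStack) with a
// fallback to the Vista-era exports (InternalGetTcpTable2 /
// InternalGetUdpTableWithOwnerPid).
//
// NOTE(review): these exports and the row layouts below are reverse-engineered
// and are not guaranteed on later Windows versions. The documented equivalents
// are GetExtendedTcpTable(TCP_TABLE_OWNER_PID_ALL) and
// GetExtendedUdpTable(UDP_TABLE_OWNER_PID); consider switching to them.
#pragma once
#include <Windows.h>
#include <Psapi.h>
#include <Iprtrmib.h>
#include <iostream>
#pragma comment(lib,"Iphlpapi.Lib")
#pragma comment(lib,"Psapi.lib")
#pragma comment(lib,"WS2_32.lib")

// XP TCP row. The XP code path applies ntohs() to the low 16 bits of dwLocalPort.
typedef struct {
    DWORD dwState;       // connection state
    DWORD dwLocalAddr;   // local address
    DWORD dwLocalPort;   // local port
    DWORD dwRemoteAddr;  // remote address
    DWORD dwRemotePort;  // remote port
    DWORD dwProcessId;   // owning process id
} MIB_TCPEXROW, *PMIB_TCPEXROW;

// XP UDP row. The XP code path applies ntohs() to the low 16 bits of dwLocalPort.
typedef struct {
    DWORD dwLocalAddr;   // local address
    DWORD dwLocalPort;   // local port
    DWORD dwProcessId;   // owning process id
} MIB_UDPEXROW, *PMIB_UDPEXROW;

// Vista TCP row: same as MIB_TCPEXROW plus one trailing field of unknown meaning.
typedef struct {
    DWORD dwState;       // connection state
    DWORD dwLocalAddr;   // local address
    DWORD dwLocalPort;   // local port
    DWORD dwRemoteAddr;  // remote address
    DWORD dwRemotePort;  // remote port
    DWORD dwProcessId;   // owning process id
    DWORD Unknown;       // meaning not known; present to keep the row stride correct
} MIB_TCPEXROW_VISTA, *PMIB_TCPEXROW_VISTA;

// Variable-length tables: dwNumEntries rows follow the count.
typedef struct {
    DWORD dwNumEntries;
    MIB_TCPEXROW table[ANY_SIZE];
} MIB_TCPEXTABLE, *PMIB_TCPEXTABLE;

typedef struct {
    DWORD dwNumEntries;
    MIB_TCPEXROW_VISTA table[ANY_SIZE];
} MIB_TCPEXTABLE_VISTA, *PMIB_TCPEXTABLE_VISTA;

typedef struct {
    DWORD dwNumEntries;
    MIB_UDPEXROW table[ANY_SIZE];
} MIB_UDPEXTABLE, *PMIB_UDPEXTABLE;

//enum OSVersion {XP,VISTA,OTHER};

// Prototypes of the private exports. bOrder is BOOL (a full 32-bit argument
// slot) rather than bool, matching the commonly published prototypes.
// Each callee allocates the returned table from the `heap` handle passed in;
// the caller releases it with HeapFree() on that same heap.
typedef DWORD (WINAPI *PFNAllocateAndGetTcpExTableFromStack)(
    PMIB_TCPEXTABLE *pTcpTabel,
    BOOL bOrder,
    HANDLE heap,
    DWORD zero,
    DWORD flags
);

typedef DWORD (WINAPI *PFNAllocateAndGetUdpExTableFromStack)(
    PMIB_UDPEXTABLE *pUdpTable,
    BOOL bOrder,
    HANDLE heap,
    DWORD zero,
    DWORD flags
);

// The two names below sit in the implementation-reserved namespace
// (leading underscore + capital); kept unchanged for compatibility.
typedef DWORD (WINAPI *_InternalGetTcpTable2)(
    PMIB_TCPEXTABLE_VISTA *pTcpTable_Vista,
    HANDLE heap,
    DWORD flags
);

typedef DWORD (WINAPI *_InternalGetUdpTableWithOwnerPid)(
    PMIB_UDPEXTABLE *pUdpTable,
    HANDLE heap,
    DWORD flags
);

// Sentinel returned when the owner cannot be determined. Callers that compare
// against -1 keep working: -1 converts to this same DWORD value.
static const DWORD PROC_NOT_FOUND = (DWORD)-1;

// Fills lpExeName/lpExePath (each >= MAX_PATH WCHARs) for `pid` and returns pid.
// If the process cannot be opened (e.g. the caller lacks the right to query
// it) both buffers are left as they were; the PID is still returned, which is
// what the original code did. The process handle is closed on every path.
static DWORD ResolveProcess(DWORD pid, LPWSTR lpExeName, LPWSTR lpExePath)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (hProcess != NULL) {
        // Both calls return 0 on failure; main() pre-zeroes the buffers, so an
        // empty string afterwards means "name unavailable".
        GetModuleBaseName(hProcess, NULL, lpExeName, MAX_PATH);
        GetModuleFileNameEx(hProcess, NULL, lpExePath, MAX_PATH);
        CloseHandle(hProcess);
    }
    return pid;
}

// TCP lookup. Tries the XP export first, then the Vista export.
// Returns the owning PID or PROC_NOT_FOUND. Frees the table it obtained.
static DWORD FindTcpOwner(HMODULE hModule, DWORD port, LPWSTR lpExeName, LPWSTR lpExePath)
{
    DWORD pid = PROC_NOT_FOUND;
    HANDLE heap = GetProcessHeap();

    PFNAllocateAndGetTcpExTableFromStack pGetTcpExTable =
        (PFNAllocateAndGetTcpExTableFromStack)GetProcAddress(hModule, "AllocateAndGetTcpExTableFromStack");
    if (pGetTcpExTable != NULL) {
        PMIB_TCPEXTABLE pTable = NULL;
        if (pGetTcpExTable(&pTable, TRUE, heap, 2, 2) != 0 || pTable == NULL)
            return PROC_NOT_FOUND;
        for (DWORD i = 0; i < pTable->dwNumEntries; i++) {
            // Only the low 16 bits carry the port; convert to host order before comparing.
            DWORD localPort = ntohs((u_short)(0x0000FFFF & pTable->table[i].dwLocalPort));
            if (localPort == port) {
                pid = ResolveProcess(pTable->table[i].dwProcessId, lpExeName, lpExePath);
                break;
            }
        }
        HeapFree(heap, 0, pTable);
        return pid;
    }

    _InternalGetTcpTable2 pGetTcpTable2 =
        (_InternalGetTcpTable2)GetProcAddress(hModule, "InternalGetTcpTable2");
    if (pGetTcpTable2 == NULL)
        return PROC_NOT_FOUND;
    PMIB_TCPEXTABLE_VISTA pTableVista = NULL;
    if (pGetTcpTable2(&pTableVista, heap, 1) != 0 || pTableVista == NULL)
        return PROC_NOT_FOUND;
    for (DWORD i = 0; i < pTableVista->dwNumEntries; i++) {
        // NOTE(review): unlike the XP path this compares dwLocalPort without
        // ntohs(); kept as in the original — confirm the byte order
        // InternalGetTcpTable2 reports.
        if (pTableVista->table[i].dwLocalPort == port) {
            pid = ResolveProcess(pTableVista->table[i].dwProcessId, lpExeName, lpExePath);
            break;
        }
    }
    HeapFree(heap, 0, pTableVista);
    return pid;
}

// UDP lookup. Tries the XP export first, then the Vista export.
// Returns the owning PID or PROC_NOT_FOUND. Frees the table it obtained.
static DWORD FindUdpOwner(HMODULE hModule, DWORD port, LPWSTR lpExeName, LPWSTR lpExePath)
{
    DWORD pid = PROC_NOT_FOUND;
    HANDLE heap = GetProcessHeap();
    PMIB_UDPEXTABLE pTable = NULL;

    PFNAllocateAndGetUdpExTableFromStack pGetUdpExTable =
        (PFNAllocateAndGetUdpExTableFromStack)GetProcAddress(hModule, "AllocateAndGetUdpExTableFromStack");
    if (pGetUdpExTable != NULL) {
        if (pGetUdpExTable(&pTable, TRUE, heap, 2, 2) != 0 || pTable == NULL)
            return PROC_NOT_FOUND;
        for (DWORD i = 0; i < pTable->dwNumEntries; i++) {
            // Only the low 16 bits carry the port; convert to host order before comparing.
            DWORD localPort = ntohs((u_short)(0x0000FFFF & pTable->table[i].dwLocalPort));
            if (localPort == port) {
                pid = ResolveProcess(pTable->table[i].dwProcessId, lpExeName, lpExePath);
                break;
            }
        }
    } else {
        _InternalGetUdpTableWithOwnerPid pGetUdpTable =
            (_InternalGetUdpTableWithOwnerPid)GetProcAddress(hModule, "InternalGetUdpTableWithOwnerPid");
        if (pGetUdpTable == NULL)
            return PROC_NOT_FOUND;
        if (pGetUdpTable(&pTable, heap, 1) != 0 || pTable == NULL)
            return PROC_NOT_FOUND;
        for (DWORD i = 0; i < pTable->dwNumEntries; i++) {
            // NOTE(review): compared without ntohs(), as in the original Vista
            // path — confirm the byte order this export reports.
            if (pTable->table[i].dwLocalPort == port) {
                pid = ResolveProcess(pTable->table[i].dwProcessId, lpExeName, lpExePath);
                break;
            }
        }
    }
    HeapFree(heap, 0, pTable);
    return pid;
}

//************************************
// Method:    GetProcInfo
// FullName:  GetProcInfo
// Access:    public
// Returns:   DWORD  PID of the process owning `port`; (DWORD)-1 (== -1) when
//            the table cannot be obtained or no row matches.
// Qualifier:
// Parameter: BOOL type         UDP==0, TCP==1 (any non-zero value selects TCP)
// Parameter: DWORD port        port number in host byte order
// Parameter: LPWSTR lpExeName  out: module base name; buffer >= MAX_PATH WCHARs
// Parameter: LPWSTR lpExePath  out: full image path;  buffer >= MAX_PATH WCHARs
// Both output buffers must be valid; they are only written when the owning
// process can be opened (see ResolveProcess).
//************************************
DWORD GetProcInfo(BOOL type, DWORD port, LPWSTR lpExeName, LPWSTR lpExePath)
{
    HMODULE hModule = LoadLibrary(L"iphlpapi.dll");
    if (hModule == NULL)
        return PROC_NOT_FOUND;

    DWORD pid = type ? FindTcpOwner(hModule, port, lpExeName, lpExePath)
                     : FindUdpOwner(hModule, port, lpExeName, lpExePath);

    // Balance the LoadLibrary above (the original never released it).
    FreeLibrary(hModule);
    return pid;
}

// Interactive driver: reads protocol and port from stdin and prints
// "<pid>\t<exe name>\t<exe path>", or "Error!" when the lookup fails.
int main()
{
    WCHAR szExeName[MAX_PATH] = {0};
    WCHAR szExePath[MAX_PATH] = {0};
    int type = 0, port = 0;

    std::cout << "TCP==1 UDP==0" << std::endl << "Protocol:";
    bool inputOk = static_cast<bool>(std::cin >> type);
    if (inputOk) {
        std::cout << "Port:";
        inputOk = static_cast<bool>(std::cin >> port);
    }
    // Reject unparsable input and out-of-range ports up front; a negative or
    // oversized port could never match a table row anyway.
    if (!inputOk || port < 0 || port > 0xFFFF) {
        std::cout << "Error!" << std::endl;
        return 0;
    }

    DWORD dwPid = GetProcInfo(type, (DWORD)port, szExeName, szExePath);
    if (dwPid != PROC_NOT_FOUND) {
        std::wcout << dwPid << "\t" << szExeName << "\t" << szExePath << std::endl;
    } else {
        std::cout << "Error!" << std::endl;
    }
    return 0;
}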
|
[求助]win7下端口进程对应关系
XP: AllocateAndGetTcpExTableFromStack() Vista: InternalGetTcpTable2 InternalGetUdpTableWithOwnerPid Win7不知道上面的还能用不,貌似是不能了... |